ISE subordinate CA

Brian McPhillips · ‎09-09-2013

Guys,

Having a lot of bother with getting ISE to work with a subordindate CA. We are implementing a wireless Proof of concept for our customer useing ISE as the security element.

The customer would rather not change any settings on the root CA and would like to use a sub CA for scep. Im not sure what the setup should look like with the Root and Sub ca.

Should ise be signed by the sub CA if we are using the sub for scep? Or can we point the scep server to the Root when setting up the NDES service on the scep server?

At the minute the ISE node is signed by the root CA. When i add the sub as the scep server it submits successfully but recevie NDES errors and prompts from apple devices saying the response from the scep server is incorrect. I can post any errors if that helps. Just looking guidance as I have no real experience with certs at all. Thanks

Update: Error on the scep server is:

The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data.

aqjaved · ‎09-10-2013

Cisco ISE relies on public key infrastructure (PKI) to provide secure communication for the following:

•Client and server authentication for Transport Layer Security (TLS)-related Extensible Authentication Protocol (EAP) protocols

•HTTPS communication between your client browser and the management server

Cisco ISE provides a web interface for managing PKI credentials. There are two types of credentials:

•Local certificates—Used to identify the Cisco ISE server to other entities such as EAP supplicants, external policy servers, or management clients. Local certificates are also known as identity certificates. Along with the local certificate, a private key is stored in Cisco ISE to prove its authenticity.

Cisco ISE identifies when a local certificate is about to expire and logs a warning in the audit logs. The expiration date also appears in the local certificate list page (Administration > System > Certificates > Local Certificates). The audit log message is logged in the catalina.out file. You can download this file as part of the support bundle (Operations > Troubleshoot > Download Logs). The catalina.out file will be available in this directory: support\apache_logs. There are two types of audit log messages that provide information on local certificate expiration warnings:

–Certificate expiring in < 90 days—AuditMessage: 34100: Certificate.ExpirationInDays, Certificate.IssuedBy, Certificate.CertificateName, Certificate.IssuedTo

–Certificate has expired—AuditMessage: 34101: Certificate.ExpirationDate, Certificate.IssuedBy, Certificate.CertificateName, Certificate.IssuedTo

•Certificate authority certificates—Used to verify remote certificates that are presented to Cisco ISE. Certificate authority certificates have a dependency relation that forms a Certificate Trust List (CTL) hierarchy. This hierarchy connects a certificate with its ultimate root certificate authority (CA) and verifies the authenticity of the certificate.

Please Check the below link for managing the Certificates in ISE.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1064991

Muhammad Munir · ‎09-12-2013

Hi

To help enable certificate provisioning functions for the variety of mobile devices that users can register on the network, Cisco ISE enables you to configure one or more Simple Certificate Enrollment Protocol (SCEP) Certificate Authority (CA) profiles to point Cisco ISE to multiple CA locations. The benefit of allowing for multiple profiles is to help ensure high availability and perform load balancing across the CA locations that you specify. If a request to a particular SCEP CA goes unanswered three consecutive times, Cisco ISE declares that particular server unavailable and automatically moves to the CA with the next lowest known load and response times, then it begins periodic polling until the server comes back online.

For more information and step by step configuration, please go through this link:

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf

Brian McPhillips · ‎09-17-2013

Thanks Guys for the documentation. I have tested using a sub ca with Ndes running directly on the same server. I have also setup a server just running Ndes which points to the Root CA. Im getting the exact same message for both.

"The Network Device Enrollment Service cannot decrypt the client's PKCS7 message (0x80090005). Bad Data."

Going to try to upgrade to 1.2 but not totally sure if the issue lies with ISE or Windows cert setup.

fbconaway · ‎09-17-2013

We discovered the same issue today. If you find a resolution, please post it. Thanks!

Admin Eastland · ‎09-18-2013

I get this error in 1.2. The Microsoft suggested troubleshooting for this error is to turn on CAPI2 logging. As best as I can figure that error message as it looks from the application event viewer is pretty generic. I'm going to try CAPI2 today. The only good thing regarding this issue and 1.2 that you must not be seeing in your version is I'm also getting error messages in ISE. one message says that a cert has already been issued for the user, but looking on NDES that claim is false. The other error says something to the effect that ISE received an incorrect challenge password. I have three generated errors and the information provided has got me no closer to a solution. I'm like you; NDES is not something I'm really proficient with. I'm might have to really get my brain wrapped around it if I'm going to figure this out.

Have you tried to authenticate using a Windows machine? Is it possible to test that? The reason I ask is that the Network Setup Client that is pushed from ISE places a log at %temp% that May or may not give you clues. In my case the log was generic. Something like a 1006 error and that ISE could not communicate with the cert server.

Brian McPhillips · ‎09-20-2013

Hi Admin,

I had looked at the CAPI2 stuff as well but it doesnt really make any sense to me or doesnt give any clues as to what the issue is!

I have tried Apple, Android and windows. These are the errors I get on the windows laptop when i run the Setup assistant and it fails. I would be interested to see if anyone has managed to get a Sub CA working or an ndes server redirecting to the root as below.

Ise > ndes server > root CA

Ise > Sub CA NDES > Sub CA

[Fri Sep 20 11:16:46 2013] Warning - [HTTPConnection] InternetOpen() failed with code: [12029]

[Fri Sep 20 11:16:46 2013] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]

[Fri Sep 20 11:17:11 2013] Warning - [HTTPConnection] InternetOpen() failed with code: [12029]

[Fri Sep 20 11:17:11 2013] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]

[Fri Sep 20 11:17:36 2013] Warning - [HTTPConnection] InternetOpen() failed with code: [12029]

[Fri Sep 20 11:17:36 2013] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]

[Fri Sep 20 11:18:01 2013] Warning - [HTTPConnection] InternetOpen() failed with code: [12029]

[Fri Sep 20 11:18:01 2013] Failed to get certificate from server - Error: [2]

[Fri Sep 20 11:18:01 2013] Failed to generate scep request. Error code: [0]

Admin Eastland · ‎09-20-2013

Yep me too. The information I got from CAPI2 was worthless. I ran a packet capture on the NDES for one of my sessions, and basically saw that the request for the SCEP url was made by ISE, and it looks the a key is attached. The NDES gets the message and pretty much responds with "OK: and then end of conversation. NDES/SCEP has no return message. 2 messages are generated on ISE one saying that a cert already exsists for the user, and the other says that there is no session currently active with the key provided.

This does not seem as though this should be real difficult. I don't get it.

Good luck!

Brian McPhillips · ‎09-25-2013

Guys,

Just an update for you. I have it working! To make it worse i went ahead and logged a Microsoft ticket for £200 and it started working on the same day. Its working on the ndes relay setup. Havent tested on the Sub CA setup

ise > seperate ndes server > root CA server

Anyway not 100% sure what has happened to get it working but our customer informed me that ios 7 was not working for self registration. i applied the new 1.2 patch 2 to see if that resolved the issue.

I had the MS engineer going through the server setup and he was just getting started really and was following the same steps to enable MSCEP logging as we have tried before. He did restart the Root CA services and the reset IIS on the Ndes server. I'm sure we done this before though. I went to test again and it worked. I have tested on Android, Apple Ipod and Windows 8 and it look ok. it takes a few goes sometimes but it will work.

SO in short i'm not sure if the patch has resolved this but if someone else wants to try it and let me know if it works for them.

http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp409736

blenka · ‎09-27-2013

Kindly find the link below and follow the page 32 and 33 will help you to address your query.

http://www.cisco.com/web/CZ/ciscoconnect/2013/pdf/T-SEC2-ISE_Prakticky_MDM-Jiri_Tesar.pdf